As we reported Wednesday, students have noticed a sudden influx of emails from a website called ClusterFlunk advertising networking services. Although junk email plagues everyone, Webmail’s spam filter usually catches them. However, as in this case, messages occasionally trickle through, reminding us that personal data — such as students’ university email addresses — are public knowledge.
The federal law protecting students’ information, the Family Educational Rights and Privacy Act, allows schools to give outside parties access to student information as long as it falls under the category of “directory information.” At UF, $100 gets you students’ name, email address, phone number, major, class and college, enrollment status and other nuggets of info concerning student life.
UF isn’t doing anything wrong when it provides advertisers with student information. FERPA stipulates that directory information may be granted to those who request it from a university without the student’s permission.
But according to Educause, in recent years, the U.S. Department of Education has amended FERPA’s regulations and allowed for an increase of private companies’ and third parties’ access to student data.
“The 2008 changes expanded the definition of ‘school officials’ to include ‘contractors, consultants, volunteers, and other parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform,’” Marc Rotenberg, the executive director of the Electronic Privacy Information Center, wrote. “This amendment gives companies like Google and Parchment access to education records and other private student information.”
Google’s increased access to student data has landed the company in some trouble: The Internet conglomerate is currently facing a lawsuit concerning its mass scanning of student emails to deliver ads, according to the Guardian.
This is hardly what lawmakers envisioned when they designed FERPA. Rotenberg wrote, “When FERPA was enacted almost forty years ago, Congress made it clear that students’ personal information should not be made widely available. Congress was particularly concerned that if student records fell into the hands of private parties, these records could hurt students later in life when, for example, students were seeking jobs.”
Clearly, FERPA needs to be tightened up.
First of all, students at public universities should be notified when someone — whether it be a parent, potential employer or ClusterFlunk marketer — requests his or her directory information. This is as much a safety issue as it is a privacy issue because your local and permanent addresses fall under the directory umbrella. If someone you don’t know can access your home address, wouldn’t you want to know?
Students should have the option to opt in rather than manually unsubscribing from ads whose creators obtained data without their knowledge. In addition, advertisers should have a monthly cap on how many emails they may send. We think it’s high time for better regulations to be enacted.
[A version of this editorial ran on page 6 on 4/3/2014 under the headline "Get-the-flunk-out-of-my-inbox: FERPA needs revamp"]
